Bypass UAC Using SilentCleanup Task

Apr 28, 2026 · attack.privilege-escalation attack.t1548.002 ·

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Sigma rule (View on GitHub)

 1title: Bypass UAC Using SilentCleanup Task
 2id: 724ea201-6514-4f38-9739-e5973c34f49a
 3status: test
 4description: |
 5    Detects the setting of the environement variable "windir" to a non default value.
 6    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
 7    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
10    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
11    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
12author: frack113, Nextron Systems
13date: 2022-01-06
14modified: 2024-01-30
15tags:
16    - attack.privilege-escalation
17    - attack.t1548.002
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    selection:
23        TargetObject|endswith: '\Environment\windir'
24    filter_main_default:
25        Details: '%SystemRoot%'
26    condition: selection and not 1 of filter_main_*
27falsepositives:
28    - Unknown
29level: high
30regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
31simulation:
32    - type: atomic-red-team
33      name: Bypass UAC using SilentCleanup Task
34      technique: T1548.002
35      atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608

Bypass UAC Using SilentCleanup Task

Sigma rule (View on GitHub)

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task

https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/

https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign

Related rules